hook to allow apps to add addional domains to CSP frame-src, eg. used by sitemgr to allow access to its sites, also fixed not displayed sidebox menu of old apps

phpgwapi/inc/class.egw_framework.inc.php

@@ -122,6 +122,16 @@ abstract class egw_framework
 		return implode(' ', self::$csp_script_src_attrs);
 	}
 
+	/**
+	 * Query additional CSP frame-src from current app
+	 *
+	 * @return array
+	 */
+	protected function _get_csp_frame_src()
+	{
+		return $GLOBALS['egw']->hooks->single('csp-frame-src', $GLOBALS['egw_info']['flags']['currentapp']);
+	}
+
 	/**
 	 * Send HTTP headers: Content-Type and Content-Security-Policy
 	 */
@@ -135,7 +145,11 @@ abstract class egw_framework
 		// - "connect-src 'self'" allows ajax requests only to self
 		// - "style-src 'self' 'unsave-inline'" allows only self and inline style, which we need
 		// - "frame-src 'self' manual.egroupware.org" allows frame and iframe content only for self or manual.egroupware.org
-		$csp = "script-src 'self' ".($script_attrs=self::csp_script_src_attrs())."; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' manual.egroupware.org";
+		$frame_src = array("'self'", 'manual.egroupware.org');
+		if (($additional = $this->_get_csp_frame_src())) $frame_src = array_merge($frame_src, $additional);
+
+		$csp = "script-src 'self' ".($script_attrs=self::csp_script_src_attrs()).
+			"; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src ".implode(' ', $frame_src);
 		//error_log(__METHOD__."() script_attrs=$script_attrs");
 		//$csp = "default-src * 'unsafe-eval' 'unsafe-inline'";	// allow everything
 		header("Content-Security-Policy: $csp");

phpgwapi/js/jsapi/egw.js

@@ -200,7 +200,7 @@
 		}
 
 		// set sidebox for tabed templates
-		var sidebox = egw_script.getAttribute('data-setSidebox');
+		var sidebox = egw_script.getAttribute('data-setSidebox') || jQuery('#late-sidebox').attr('data-setSidebox');
 		if (window.framework && sidebox)
 		{
 			window.framework.setSidebox.apply(window.framework, JSON.parse(sidebox));